1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27#include <linux/module.h>
28
29#include <linux/types.h>
30#include <linux/capability.h>
31#include <linux/errno.h>
32#include <linux/kernel.h>
33#include <linux/slab.h>
34#include <linux/poll.h>
35#include <linux/fcntl.h>
36#include <linux/init.h>
37#include <linux/skbuff.h>
38#include <linux/workqueue.h>
39#include <linux/interrupt.h>
40#include <linux/compat.h>
41#include <linux/socket.h>
42#include <linux/ioctl.h>
43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51
52
53
54static inline int hci_test_bit(int nr, void *addr)
55{
56 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
57}
58
59
60static struct hci_sec_filter hci_sec_filter = {
61
62 0x10,
63
64 { 0x1000d9fe, 0x0000b00c },
65
66 {
67 { 0x0 },
68
69 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
70
71 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
72
73 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
74
75 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
76
77 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
78 }
79};
80
81static struct bt_sock_list hci_sk_list = {
82 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
83};
84
85
86void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
87{
88 struct sock *sk;
89 struct hlist_node *node;
90
91 BT_DBG("hdev %p len %d", hdev, skb->len);
92
93 read_lock(&hci_sk_list.lock);
94 sk_for_each(sk, node, &hci_sk_list.head) {
95 struct hci_filter *flt;
96 struct sk_buff *nskb;
97
98 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
99 continue;
100
101
102 if (skb->sk == sk)
103 continue;
104
105
106 flt = &hci_pi(sk)->filter;
107
108 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
109 0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS), &flt->type_mask))
110 continue;
111
112 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
113 register int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
114
115 if (!hci_test_bit(evt, &flt->event_mask))
116 continue;
117
118 if (flt->opcode &&
119 ((evt == HCI_EV_CMD_COMPLETE &&
120 flt->opcode !=
121 get_unaligned((__le16 *)(skb->data + 3))) ||
122 (evt == HCI_EV_CMD_STATUS &&
123 flt->opcode !=
124 get_unaligned((__le16 *)(skb->data + 4)))))
125 continue;
126 }
127
128 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
129 continue;
130
131
132 memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1);
133
134 if (sock_queue_rcv_skb(sk, nskb))
135 kfree_skb(nskb);
136 }
137 read_unlock(&hci_sk_list.lock);
138}
139
140static int hci_sock_release(struct socket *sock)
141{
142 struct sock *sk = sock->sk;
143 struct hci_dev *hdev;
144
145 BT_DBG("sock %p sk %p", sock, sk);
146
147 if (!sk)
148 return 0;
149
150 hdev = hci_pi(sk)->hdev;
151
152 bt_sock_unlink(&hci_sk_list, sk);
153
154 if (hdev) {
155 atomic_dec(&hdev->promisc);
156 hci_dev_put(hdev);
157 }
158
159 sock_orphan(sk);
160
161 skb_queue_purge(&sk->sk_receive_queue);
162 skb_queue_purge(&sk->sk_write_queue);
163
164 sock_put(sk);
165 return 0;
166}
167
168
169static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
170{
171 struct hci_dev *hdev = hci_pi(sk)->hdev;
172
173 if (!hdev)
174 return -EBADFD;
175
176 switch (cmd) {
177 case HCISETRAW:
178 if (!capable(CAP_NET_ADMIN))
179 return -EACCES;
180
181 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
182 return -EPERM;
183
184 if (arg)
185 set_bit(HCI_RAW, &hdev->flags);
186 else
187 clear_bit(HCI_RAW, &hdev->flags);
188
189 return 0;
190
191 case HCIGETCONNINFO:
192 return hci_get_conn_info(hdev, (void __user *) arg);
193
194 case HCIGETAUTHINFO:
195 return hci_get_auth_info(hdev, (void __user *) arg);
196
197 default:
198 if (hdev->ioctl)
199 return hdev->ioctl(hdev, cmd, arg);
200 return -EINVAL;
201 }
202}
203
204static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
205{
206 struct sock *sk = sock->sk;
207 void __user *argp = (void __user *) arg;
208 int err;
209
210 BT_DBG("cmd %x arg %lx", cmd, arg);
211
212 switch (cmd) {
213 case HCIGETDEVLIST:
214 return hci_get_dev_list(argp);
215
216 case HCIGETDEVINFO:
217 return hci_get_dev_info(argp);
218
219 case HCIGETCONNLIST:
220 return hci_get_conn_list(argp);
221
222 case HCIDEVUP:
223 if (!capable(CAP_NET_ADMIN))
224 return -EACCES;
225 return hci_dev_open(arg);
226
227 case HCIDEVDOWN:
228 if (!capable(CAP_NET_ADMIN))
229 return -EACCES;
230 return hci_dev_close(arg);
231
232 case HCIDEVRESET:
233 if (!capable(CAP_NET_ADMIN))
234 return -EACCES;
235 return hci_dev_reset(arg);
236
237 case HCIDEVRESTAT:
238 if (!capable(CAP_NET_ADMIN))
239 return -EACCES;
240 return hci_dev_reset_stat(arg);
241
242 case HCISETSCAN:
243 case HCISETAUTH:
244 case HCISETENCRYPT:
245 case HCISETPTYPE:
246 case HCISETLINKPOL:
247 case HCISETLINKMODE:
248 case HCISETACLMTU:
249 case HCISETSCOMTU:
250 if (!capable(CAP_NET_ADMIN))
251 return -EACCES;
252 return hci_dev_cmd(cmd, argp);
253
254 case HCIINQUIRY:
255 return hci_inquiry(argp);
256
257 default:
258 lock_sock(sk);
259 err = hci_sock_bound_ioctl(sk, cmd, arg);
260 release_sock(sk);
261 return err;
262 }
263}
264
265static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
266{
267 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
268 struct sock *sk = sock->sk;
269 struct hci_dev *hdev = NULL;
270 int err = 0;
271
272 BT_DBG("sock %p sk %p", sock, sk);
273
274 if (!haddr || haddr->hci_family != AF_BLUETOOTH)
275 return -EINVAL;
276
277 lock_sock(sk);
278
279 if (hci_pi(sk)->hdev) {
280 err = -EALREADY;
281 goto done;
282 }
283
284 if (haddr->hci_dev != HCI_DEV_NONE) {
285 if (!(hdev = hci_dev_get(haddr->hci_dev))) {
286 err = -ENODEV;
287 goto done;
288 }
289
290 atomic_inc(&hdev->promisc);
291 }
292
293 hci_pi(sk)->hdev = hdev;
294 sk->sk_state = BT_BOUND;
295
296done:
297 release_sock(sk);
298 return err;
299}
300
301static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *addr_len, int peer)
302{
303 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
304 struct sock *sk = sock->sk;
305 struct hci_dev *hdev = hci_pi(sk)->hdev;
306
307 BT_DBG("sock %p sk %p", sock, sk);
308
309 if (!hdev)
310 return -EBADFD;
311
312 lock_sock(sk);
313
314 *addr_len = sizeof(*haddr);
315 haddr->hci_family = AF_BLUETOOTH;
316 haddr->hci_dev = hdev->id;
317
318 release_sock(sk);
319 return 0;
320}
321
322static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
323{
324 __u32 mask = hci_pi(sk)->cmsg_mask;
325
326 if (mask & HCI_CMSG_DIR) {
327 int incoming = bt_cb(skb)->incoming;
328 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), &incoming);
329 }
330
331 if (mask & HCI_CMSG_TSTAMP) {
332#ifdef CONFIG_COMPAT
333 struct compat_timeval ctv;
334#endif
335 struct timeval tv;
336 void *data;
337 int len;
338
339 skb_get_timestamp(skb, &tv);
340
341 data = &tv;
342 len = sizeof(tv);
343#ifdef CONFIG_COMPAT
344 if (msg->msg_flags & MSG_CMSG_COMPAT) {
345 ctv.tv_sec = tv.tv_sec;
346 ctv.tv_usec = tv.tv_usec;
347 data = &ctv;
348 len = sizeof(ctv);
349 }
350#endif
351
352 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
353 }
354}
355
356static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
357 struct msghdr *msg, size_t len, int flags)
358{
359 int noblock = flags & MSG_DONTWAIT;
360 struct sock *sk = sock->sk;
361 struct sk_buff *skb;
362 int copied, err;
363
364 BT_DBG("sock %p, sk %p", sock, sk);
365
366 if (flags & (MSG_OOB))
367 return -EOPNOTSUPP;
368
369 if (sk->sk_state == BT_CLOSED)
370 return 0;
371
372 if (!(skb = skb_recv_datagram(sk, flags, noblock, &err)))
373 return err;
374
375 msg->msg_namelen = 0;
376
377 copied = skb->len;
378 if (len < copied) {
379 msg->msg_flags |= MSG_TRUNC;
380 copied = len;
381 }
382
383 skb_reset_transport_header(skb);
384 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
385
386 hci_sock_cmsg(sk, msg, skb);
387
388 skb_free_datagram(sk, skb);
389
390 return err ? : copied;
391}
392
393static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
394 struct msghdr *msg, size_t len)
395{
396 struct sock *sk = sock->sk;
397 struct hci_dev *hdev;
398 struct sk_buff *skb;
399 int err;
400
401 BT_DBG("sock %p sk %p", sock, sk);
402
403 if (msg->msg_flags & MSG_OOB)
404 return -EOPNOTSUPP;
405
406 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
407 return -EINVAL;
408
409 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
410 return -EINVAL;
411
412 lock_sock(sk);
413
414 if (!(hdev = hci_pi(sk)->hdev)) {
415 err = -EBADFD;
416 goto done;
417 }
418
419 if (!test_bit(HCI_UP, &hdev->flags)) {
420 err = -ENETDOWN;
421 goto done;
422 }
423
424 if (!(skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err)))
425 goto done;
426
427 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
428 err = -EFAULT;
429 goto drop;
430 }
431
432 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
433 skb_pull(skb, 1);
434 skb->dev = (void *) hdev;
435
436 if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
437 u16 opcode = get_unaligned_le16(skb->data);
438 u16 ogf = hci_opcode_ogf(opcode);
439 u16 ocf = hci_opcode_ocf(opcode);
440
441 if (((ogf > HCI_SFLT_MAX_OGF) ||
442 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, &hci_sec_filter.ocf_mask[ogf])) &&
443 !capable(CAP_NET_RAW)) {
444 err = -EPERM;
445 goto drop;
446 }
447
448 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
449 skb_queue_tail(&hdev->raw_q, skb);
450 tasklet_schedule(&hdev->tx_task);
451 } else {
452 skb_queue_tail(&hdev->cmd_q, skb);
453 tasklet_schedule(&hdev->cmd_task);
454 }
455 } else {
456 if (!capable(CAP_NET_RAW)) {
457 err = -EPERM;
458 goto drop;
459 }
460
461 skb_queue_tail(&hdev->raw_q, skb);
462 tasklet_schedule(&hdev->tx_task);
463 }
464
465 err = len;
466
467done:
468 release_sock(sk);
469 return err;
470
471drop:
472 kfree_skb(skb);
473 goto done;
474}
475
476static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int len)
477{
478 struct hci_ufilter uf = { .opcode = 0 };
479 struct sock *sk = sock->sk;
480 int err = 0, opt = 0;
481
482 BT_DBG("sk %p, opt %d", sk, optname);
483
484 lock_sock(sk);
485
486 switch (optname) {
487 case HCI_DATA_DIR:
488 if (get_user(opt, (int __user *)optval)) {
489 err = -EFAULT;
490 break;
491 }
492
493 if (opt)
494 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
495 else
496 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
497 break;
498
499 case HCI_TIME_STAMP:
500 if (get_user(opt, (int __user *)optval)) {
501 err = -EFAULT;
502 break;
503 }
504
505 if (opt)
506 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
507 else
508 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
509 break;
510
511 case HCI_FILTER:
512 {
513 struct hci_filter *f = &hci_pi(sk)->filter;
514
515 uf.type_mask = f->type_mask;
516 uf.opcode = f->opcode;
517 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
518 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
519 }
520
521 len = min_t(unsigned int, len, sizeof(uf));
522 if (copy_from_user(&uf, optval, len)) {
523 err = -EFAULT;
524 break;
525 }
526
527 if (!capable(CAP_NET_RAW)) {
528 uf.type_mask &= hci_sec_filter.type_mask;
529 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
530 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
531 }
532
533 {
534 struct hci_filter *f = &hci_pi(sk)->filter;
535
536 f->type_mask = uf.type_mask;
537 f->opcode = uf.opcode;
538 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
539 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
540 }
541 break;
542
543 default:
544 err = -ENOPROTOOPT;
545 break;
546 }
547
548 release_sock(sk);
549 return err;
550}
551
552static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
553{
554 struct hci_ufilter uf;
555 struct sock *sk = sock->sk;
556 int len, opt;
557
558 if (get_user(len, optlen))
559 return -EFAULT;
560
561 switch (optname) {
562 case HCI_DATA_DIR:
563 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
564 opt = 1;
565 else
566 opt = 0;
567
568 if (put_user(opt, optval))
569 return -EFAULT;
570 break;
571
572 case HCI_TIME_STAMP:
573 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
574 opt = 1;
575 else
576 opt = 0;
577
578 if (put_user(opt, optval))
579 return -EFAULT;
580 break;
581
582 case HCI_FILTER:
583 {
584 struct hci_filter *f = &hci_pi(sk)->filter;
585
586 uf.type_mask = f->type_mask;
587 uf.opcode = f->opcode;
588 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
589 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
590 }
591
592 len = min_t(unsigned int, len, sizeof(uf));
593 if (copy_to_user(optval, &uf, len))
594 return -EFAULT;
595 break;
596
597 default:
598 return -ENOPROTOOPT;
599 break;
600 }
601
602 return 0;
603}
604
605static const struct proto_ops hci_sock_ops = {
606 .family = PF_BLUETOOTH,
607 .owner = THIS_MODULE,
608 .release = hci_sock_release,
609 .bind = hci_sock_bind,
610 .getname = hci_sock_getname,
611 .sendmsg = hci_sock_sendmsg,
612 .recvmsg = hci_sock_recvmsg,
613 .ioctl = hci_sock_ioctl,
614 .poll = datagram_poll,
615 .listen = sock_no_listen,
616 .shutdown = sock_no_shutdown,
617 .setsockopt = hci_sock_setsockopt,
618 .getsockopt = hci_sock_getsockopt,
619 .connect = sock_no_connect,
620 .socketpair = sock_no_socketpair,
621 .accept = sock_no_accept,
622 .mmap = sock_no_mmap
623};
624
625static struct proto hci_sk_proto = {
626 .name = "HCI",
627 .owner = THIS_MODULE,
628 .obj_size = sizeof(struct hci_pinfo)
629};
630
631static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
632 int kern)
633{
634 struct sock *sk;
635
636 BT_DBG("sock %p", sock);
637
638 if (sock->type != SOCK_RAW)
639 return -ESOCKTNOSUPPORT;
640
641 sock->ops = &hci_sock_ops;
642
643 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
644 if (!sk)
645 return -ENOMEM;
646
647 sock_init_data(sock, sk);
648
649 sock_reset_flag(sk, SOCK_ZAPPED);
650
651 sk->sk_protocol = protocol;
652
653 sock->state = SS_UNCONNECTED;
654 sk->sk_state = BT_OPEN;
655
656 bt_sock_link(&hci_sk_list, sk);
657 return 0;
658}
659
660static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
661{
662 struct hci_dev *hdev = (struct hci_dev *) ptr;
663 struct hci_ev_si_device ev;
664
665 BT_DBG("hdev %s event %ld", hdev->name, event);
666
667
668 ev.event = event;
669 ev.dev_id = hdev->id;
670 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
671
672 if (event == HCI_DEV_UNREG) {
673 struct sock *sk;
674 struct hlist_node *node;
675
676
677 read_lock(&hci_sk_list.lock);
678 sk_for_each(sk, node, &hci_sk_list.head) {
679 local_bh_disable();
680 bh_lock_sock_nested(sk);
681 if (hci_pi(sk)->hdev == hdev) {
682 hci_pi(sk)->hdev = NULL;
683 sk->sk_err = EPIPE;
684 sk->sk_state = BT_OPEN;
685 sk->sk_state_change(sk);
686
687 hci_dev_put(hdev);
688 }
689 bh_unlock_sock(sk);
690 local_bh_enable();
691 }
692 read_unlock(&hci_sk_list.lock);
693 }
694
695 return NOTIFY_DONE;
696}
697
698static const struct net_proto_family hci_sock_family_ops = {
699 .family = PF_BLUETOOTH,
700 .owner = THIS_MODULE,
701 .create = hci_sock_create,
702};
703
704static struct notifier_block hci_sock_nblock = {
705 .notifier_call = hci_sock_dev_event
706};
707
708int __init hci_sock_init(void)
709{
710 int err;
711
712 err = proto_register(&hci_sk_proto, 0);
713 if (err < 0)
714 return err;
715
716 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
717 if (err < 0)
718 goto error;
719
720 hci_register_notifier(&hci_sock_nblock);
721
722 BT_INFO("HCI socket layer initialized");
723
724 return 0;
725
726error:
727 BT_ERR("HCI socket registration failed");
728 proto_unregister(&hci_sk_proto);
729 return err;
730}
731
732void __exit hci_sock_cleanup(void)
733{
734 if (bt_sock_unregister(BTPROTO_HCI) < 0)
735 BT_ERR("HCI socket unregistration failed");
736
737 hci_unregister_notifier(&hci_sock_nblock);
738
739 proto_unregister(&hci_sk_proto);
740}
741
